#cybersecurity

This works for me:

>>> headers = {'User-Agent': 'Python Discord Test'}
>>> requests.get("https://haveibeenpwned.com/api/v2/breachedaccount/<one_of_my_accounts_here>", headers=headers)
<Response [200]>

ty

I get a 500

oh wait

I get a 404

wtf

That means there are no entries with that account

oh wait

HIBP used email only right

Try this one:

>>> requests.get("https://haveibeenpwned.com/api/v2/breachedaccount/john.doe@gmail.com", headers=headers)
<Response [200]>

I think so, yes, but I'm not sure.

I see

thanks

So, just in case I can not get my current final project to work, what simple security related Python programs can a intermediate Python user create within like two or three days?

you could do

• packet inspection with scapy
• build port scanners with either socket or scapy or something else
• some ssh or ftp or telnet related stuff
• with a bit of effort maybe some WLAN related stuff
• mitm stuff with scapy
• some fuzzer, maybe even grammar based to generated better fitting data
  the list goes on and on

Possibly a secure passward manager as well

How do I make SSH connections go straight into a python program

you probably want to use paramiko?

I don't want them accessing outside

Can that be dockerized?

as in, do you want a python ssh server?

or to force-run a python application on successful ssh connection?

or make ssh connections using a python ssh client?

2nd one

Someone would SSH in and they would be loaded into python script straight away. This would be wrapped in a docker container too for more "security"

The SSH connections will be public, no password, in a isolated dockerized SSH account

I built something a little bit like this in pure python. Try ssh git.hillsdon.party

so I think you start by writing a python 'shell' to be run on connect

and then brutally lock down the stupidly large selection of options a ssh user has to run stuff

@orchid notch For packet inspection with Scapy, which module should I put on PyCharm? scapy or scapy-python3? Or both? And what things in packets should the program inspect?

I don't know if you can do an 'accept no auth' with openssh

have you checked?

perhaps its a compile time option to prevent shooting yourself in the foot?

^ looks like an easy option to do this actually

@thorn obsidian you could try to re-make various PoCs in python

@cedar pelican this is probably the best prior art: https://github.com/shazow/ssh-chat

Yep. I'm making a chat server haha

But I'm using a database to store message, so it's much smaller code-wise for more functionality

@thorn obsidian Can you explain what that is? Sorry, I am not familiar with it.

@cedar pelican so do you really need all the features of ssh then? you can just make a normal secure connection with a socket library that supports ssl/tls
but you might also check out how stuff like gitosis capture ssh logins on their shell.
i believe most of the features [like proxies/X11 forwarding] you can disable server side and then the ability to run remote commands relies on the shell supporting it

@thorn obsidian idk, try and see what fits you and that's basically up to you, you could do passive port scanning, DNS sniffing, analyzing unencrypted http requests whatever

@gentle heron Yeah. I was thinking making it a website tbh. I think that would be easier.

The important feature I'm showing is the database messaging system

if you like writing js yeah it would be

I might even just making a backend

Backend so you can attach it to anything you want

but if you are willing to make a client, then you dont need ssh and wont need to try to lock down all the extra ssh features

and the client can be an app or even just a web page

Yeah ok, thanks for the advice.

@thorn obsidian Install scapy. scapy-python3 is deprecated since mainline scapy has Python 3 support now.

You could, say, craft custom DNS packets and send data through them as a covert channel.

how can a router firewall interact with the os if it is a router firewall?

Because a router is basically a computer with a single purpose

it contains a operating system aswell

just not one that you are familiar with

It does not interact directly with your computer if that is what u are asking

well, it can interact via protocols like UPNP

that allows your computer to ask the router what the real IP address is, tell it to open a port, etc. @thorn obsidian

When someone uses a Ping of Death DoS, I know that the packet size is greater than 65,536 bytes, but how many packets that size would the attacker send out?

I am going to create a simple DoS attack for my Python final project

Let me reword my question, what is a common amount of packets sent out in a PoD attack?

i mean first of all most systems arent vulnerable to that shit anymore and second, youd just spam and spam and spam until the target is down

@orchid notch What are systems vulnerable to now then?

well they are vulnerable to normal DoS attacks

apache servers might still be vulnerable to slow loris attacks

What DoS methods are systems still vulnerable to?

you wont find the one method against all systems

DoS attacks are always specific to a certain degree

What are common methods then?

well apache servers can be vulnerable to slow loris attacks for example

and you might still be able to get smaller servers down with just spamming over and over

or you could do it like Mirai and attack the DNS servers but that would need a larger capacity of attackers

Would I be in the green zone to use a Slowloris on my AWS EC2 instance?

presumably

I was told I had to get permission from AWS before I do stuff like that >.<

well im not an AWS expert

you could also just host a vm on your machien to demonstrate shit if you wanted to

@orchid notch Last question I have is, is a Windows XP system still vulnerable to a Ping of Death?

the most recent version presumably not

older ones maybe

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021

@thorn obsidian I doubt it

https://www.computerworld.com/article/2510160/microsoft-patches-1990s-era--ping-of-death-.html

Based on that article it might be if there aren't any service packs applied...

or at least not SP2, since IIRC that includes the firewall, which I believe blocks all inbound traffic by default

So, I am just DoSing my Kali Clone system on VMWare for my Adv CyberSec project. I also have to use some sort of countermeasure though. Which ones should I look into? I am using auxiliary/dos/tcp/synflood via Metaploit for the DoS.

https://arstechnica.com/information-technology/2019/05/hackers-breached-3-us-antivirus-companies-researchers-reveal/

O O F

On Kali Linux, how would I block a source IP of a DoS attack?

Hopefully you're not using Kali as your daily system, considering it runs as root by default.

it's a security OS, not a secure OS

👌

@thorn obsidian probably just drop them in iptables

https://serverfault.com/questions/263646/iptables-rule-to-drop-syn-and-fin-attacks

rofl, one of our customers just failed a PCI compliance test because the ISP provided us with a Cisco router that's vulnerable to a CVE

predictable TCP/IP ISN generation

@lusty flare O O F

"oops sorry, my bad"

yaaah

i've gotta get in touch with them and bitch about PCI compliance

i mean technically that means ALL the routers they've supplied are not PCI compliant

but because of the MLP it's not exposed

is there anything else to do apart from iptables -I INPUT 5 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT to allow http traffic

cause its not working for me, only accepts traffic if I turn iptables off

"no route to host"

o

got it

Been toying around with fail2ban filters recently.

The 0.10.* version finally supported supports ipv6 addresses

ok could someone make Cython clear to me? I know it says converting to C and make it fast and secure. But how does the secure thing work? after all it’s importing a model I’m a bit confused on how it works

I’m interested in making my program faster and secure, could anyone explain?

Im not exactly sure how cython makes stuff more secure but the fast part is achieved by compiling the python code into c

@orchid notch now the thing I don’t understand is when that is going into C can we turn that c into an .exe?

no that c is meant to be loaded as a dll or so by other programs, not to be executed on its own

im guessing the having the c file somewhere is required? or not? if so how can I protect it since it’s opened. @orchid notch (very sorry for the constant pings)

@lean storm not it's not, C is a compiled language, you don't need the source files in order to execute it, or do you for example have the source files of your favourite games etc. Laying around?

wish I did

to be honest I dont think the code bases of the majority of modern games are small enough for one human to understand

Well do you think believe that it will do any good to the program? I mean I will have attacker’s on a program that I’m making I am using server side, encryptions, all that good stuff.

I know like everything can be reversed but will this help? Do you use Cython as well for protection?

If this is a server side program you are compiling into C, doing so will have no affect on its security whatsoever.

Assuming of course, this CPython doesn't create any vulnerabilities or remove any by accident when compiling your code into C, which seems highly unlikely to me.

@chilly flame well what I meant for the server side that it uses a link that will make a post request and it will store data there and process it, that’s the thing that is not locally all of the database. Now, the main reason I’m asking this is somehow to hide this link because I know everything on client side could be decrypted. I was thinking of making a hidden process that will run in the background and it will have the link to make a post request when the data is finished collecting, for example login information.

This application I’m basically designing is that special users have an account with they can log in with this desktop software and they can access different types of data.

It doesn't matter how you hide it, if your application has a hardcoded access key or password or whatever for the database it can be found.

You should be using user accounts with restricted privileges.

Make the user provide their own credentials when they attempt to access the database via the app.

well what do you mean? They do have their own credentials when they try to login

Then why are you trying to hide the POST endpoint?

If you need to auth for it, then it doesn't matter if someone can find it.

oh i just realized I could add a cool down system. I was mainly scared that the brute forces will overload it while attempting to attack it.

cool down system that takes like HWID of a computer and if that HWID make more 3 requests , then a cool down will be set for 5 minuets I guess.

Ah I see, you're mainly concerned about your server being DoSed. I would just recommend ensuring the endpoint has good sanitisation and have it ban any users who submit requests more than x amounts of times every y minutes.

Then ignore all POST requests without an auth token.

Unfortunately your HWID idea won't work, your attackers won't be sending you that parameter unless they are attacking through the app (which I assume you intend to use to append the HWID) and even then trimming that from the packets would be trivial.

I would just ignore non authed requests and ban users who hit the system too much. Even if you only ban them for 30-60 seconds that's enough.

well what do you mean? i can set the HWID parameter as a requirement in the server, if it’s not included it would return as invalid or an error

So the next step in my line of thinking as a pentester would be to submit fake HWIDs.

(Also trivial)

i actually did not think of that ....

because yeah they can take the link and do it in their own and not using the application

If I submit fake credentials/auth tokens your server can verify that and ban my IP address easily enough.

Of course then I can use proxies etc etc, fighting off DoS attacks is an interesting affair.

If you are really concerned about being hit hard you need to look into getting proper protection.

If it's just a concern about your DB being flooded or whatever, what I have suggested will be fine.

well thank you so much. you’ve made me realize important issues that are major i don’t know why I didn’t think of that. anyways, thank you appreciate it.

You are most welcome, feel free to ping me any time.

@lean storm In Any client-side stuff can be disassembled given enough time

@chilly flame I've been implementing a system like this for my alert server using fail2ban and a few other things!

Should be done relatively soon-ish, and would defeat anybody being questionable.

Ah nice one, fail2ban looks like a cool tool, I've never used it myself. I work on the other side of the security equation.

What do you mean?

I'm a pentester.

I emphasize security ( https://github.com/Lvl4Sword/Killer for example 😄 ), so I approach everything with it in mind.

fail2ban is pretty great. stretch-backports in Debian finally has a regex for ipv6 natively.

That's great. A lot of software engineers seem to do the exact opposite haha.

Still, makes for plenty of work for me at least 😉

Yeah, PoisonTap/Hak5 Rubber Ducky/etc comes to mind. I'd love to see someone break Killer once it's feature complete. I've got it covering HDMI/3.5mm sound jack on my system, but it's not ready to be deployed for all systems, and probably won't be covered on the 1.0 release

So what exactly is it monitoring for currently? Malicious signatures in firmware or something?

Or is it more of a blacklist on actions HID devices can perform?

Nope, it's whitelist based. USB/Bluetooth both have whitelists and connected whitelists.

Ah lovely, sounds like it could be interesting.

Outside of the whitelists, like battery/cd tray/etc, it is looking for specific state.

Are you doing anything with data exfiltration as well? Particularly on USB.

So if you set it up on a laptop, it may look something like...

• cd tray has to be closed
• no ethernet connected
• no hdmi connected
• battery must be in the device
• power must be connected
• this 1 usb device is allowed to be connected
• that same usb device is in the connected whitelist, so must be connected 24/7
• no bluetooth device allowed to be connected

Or the running of executables from portable devices.

That's outside of the scope of Killer

oooh I gotcha.

So it's hardware state changes, not hardware changing the OS etc.

Exactly. This defeats things like the rubber ducky, poisontap, etc

Strikes me if you really don't want someone plugging USBs into your machines, remove/plug up the USB ports.

Doesn't this essentially prevent new devices from being connected full stop?

Yeah, I was told that in the ##cybersecurity freenode irc. Though, when 2.0 comes out it'll introduce custom commands.

So while you could very easily just fully block USB device on a system rather easily, custom commands give you an easier way to approach it.

For example, it's a device that isn't on the connected whitelist? Don't allow it to be mounted, lol

I see, how are you identifying devices in this scenario? By HWID?

vendor/product ids

Gotcha.

USB-wise, at least. Nothing on USB that can't be spoofed though, so that's a problem.

Naturally I assume these will be hashed when stored.

Though you can approach that with the connected whitelist, and set a variable to the amount of those device with those ids to be connected at once

No need. The program runs as root, and if you can access/change the config there's nothing I can do to protect you.

Then you have issues with not being able to remove a portable device do you not?

If it's in the connected whitelist, you don't intend to disconnect it anyway.

I'd hash 'em anyway if I were you.

If I knew you had a file with all the whitelisted USBs and I needed in, I'd happily take the HDD out for it.

It's not really necessary. Will add additional complexity, especially considering the config is json and is easily editable by anyone who wants to manually play with it.

Well sure, but that's of course implying you don't have FDE 😄

Well this is true, but that is also just one example of how that data might be leaked.

It's like saying "no point hashing the passwords, if someone gets into the DB we're all screwed anyway."

Killer of course implies you're using full disk encryption. Otherwise, when the system shuts down ( which is by default when tampering is detected right now ) you could very easily get anything on the HDD/SDD/whatever hybrid system you have

Gotcha.

Eh, that's not really comparable though. Encrypting passwords is very easy these days. Where as, hashing the configuration is just going to make it impossible to edit manually.

You don't need to hash the whole config 😄 Just the vendor IDs etc.

Whatever your unique identifier for the device is.

Like I said, there wouldn't be much of a reason to do so. FDE coupled with a locked system, or FDE with proper permissions ( which I really hope your users on the system can't access configs for files running as root ) there isn't much snooping that can happen.

@safe bear - Feel free to chime in if you'd like

Well, your choice 😉 Personally I'd do it anyway, paranoia and comprehensiveness and all.

Still, sounds like a somewhat interesting project. I must be going now though, got work in the 'morrow and it's well past midnight.

Best of luck with it!

Thanks! Feel free to check it out more when you get a chance!

Sure, if I get some R&D time away from mobile hacking I'll take a perusal.

Sounds great. Have a good one 😃

You too.

Hashing IDs wouldn't be too difficult to do

Could offer it as an option

For the extra paranoid

I have a question about Brute Forcing algorithms

How does the program know when it has a value that’s correct?

And how does it target a software/site/ whatever it’s brute forcing

well there's often libraries involved that request data from a server, it either refuses login or accepts login... it's not that hard to distinguish messages lol

What about when it’s cracking files passwords

Is it just making a request to the server every time with the new one it comes up with?

I want to understand this so I’m sorry if I’m asking dumbass questions

theres probably a library involved that returns success too for files

and well its really just spamming login requests at a server hoping you have luck

I mean you can do it the weird zz to ZZZZZZZZZZZ way but

its easier to do a dictionary attack tbh

I mean if you try to bruteforce a web panel for example, its going to redirect you to another page if the password is right. If not, try another password

about files idk whats returned, probably something os related

I’m just trying to understand how it knows it’s on the right track for the password

well you don't know you're on the right track until you have the password

So it doesn’t do it one letter at a time?

I haven't ever done A-ZZZZZZZ etc combinations but I just loop through a huge wordlist

well doing that is pretty outdated

I know what a dictionary attack is

you could technically increment 1 letter each time

I haven't seen actual bruteforcing being done ever

waste of resources

Ah

I see

https://stackoverflow.com/questions/35820678/python-increment-characters-in-a-string-by-1

you could increment the next character if you really wanted to bruteforce

https://www.reddit.com/r/sysadmin/comments/boiknf/linux_kernel_prior_to_508_vulnerable_to_remote/ - remote vulnerability in the linux kernel affected all versions from 2.0.40 - 5.0.8

https://www.bleepingcomputer.com/news/security/fxmsp-chat-logs-reveal-the-hacked-antivirus-vendors-avs-respond/ - Trend Micro / McAfee / Symantec ( Norton ) affected

https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html#security-related-consulting and another one

There's more here: https://cpu.fail/

Covers:

ZombieLoad
RIDL
Fallout
Store-To-Leak Forwarding
Meltdown UC

could you use hashcat along the subprocess python module?

subprocess will run pretty much anything and everything.

does anyone know how to check if rds_tcp is enabled

tf lol, does CVE-2019-11815 affect any device using linux kernel before 5.0.8

what came to my mind is ```
pidof rds_tcp
pidof rds_tcp_kill_sock
pidof t_sock

its a kernel module not a program iirc

you can lsmod if it was built as just a module, but if it was compiled in then its a bit harder

also as far as i can tell, it wont be running on basically any system unless the admin intentionally and explicitly enabled it.
its not loaded by default as a module on major distros nor compiled statically on them

oh looks like you dont need root to get the kernel to load it but you do need to already have the ability to execute code on the system

so blacklist it if its built as a module, rebuild kernel/switch distro if its compiled in

I doubt im able to blacklist without sudo perms

but thanks thats reassuring

if you dont have root access to the server its generally someone elses job to fix this problem

allright

well this is a home laptop but yea lol

has anyone ever found a good alternative to zmap that runs on OpenVZ

Quick Question.. I'm an upcoming freshman in college. I will be studying Info sec&Info Tech. Will this prepare me for this data science field if I chose this path?

prepare you for "this data science field"?
If you mean data science in general then very likely not, after all youre studying IT security and not data science those are usually not that much related to each other

@orchid notch okay thanks..

Would it prepare me for cybersecurity?

I mean I dont really see how these are connected to each other

yeah thats probably more the case ....but wouldnt you just check the contents of what youre studying before going in there lol?

https://thehackernews.com/2019/05/stack-overflow-databreach.html

@green prairie Didn't affect anything, though.

We can now confirm that our investigation suggests the requests in question affected approximately 250 public network users.

Can anyone recommend libraries or open source Python tools that can attribute network connections with processes?

@hybrid axle netstat -tup

@hybrid axle https://psutil.readthedocs.io/en/latest/index.html?highlight=socket#psutil.net_connections

From the docs:

>>> import psutil
>>> psutil.net_connections()
[pconn(fd=115, family=<AddressFamily.AF_INET: 2>, type=<SocketType.SOCK_STREAM: 1>, laddr=addr(ip='10.0.0.1', port=48776), raddr=addr(ip='93.186.135.91', port=80), status='ESTABLISHED', pid=1254),
 pconn(fd=117, family=<AddressFamily.AF_INET: 2>, type=<SocketType.SOCK_STREAM: 1>, laddr=addr(ip='10.0.0.1', port=43761), raddr=addr(ip='72.14.234.100', port=80), status='CLOSING', pid=2987),
 pconn(fd=-1, family=<AddressFamily.AF_INET: 2>, type=<SocketType.SOCK_STREAM: 1>, laddr=addr(ip='10.0.0.1', port=60759), raddr=addr(ip='72.14.234.104', port=80), status='ESTABLISHED', pid=None),
 pconn(fd=-1, family=<AddressFamily.AF_INET: 2>, type=<SocketType.SOCK_STREAM: 1>, laddr=addr(ip='10.0.0.1', port=51314), raddr=addr(ip='72.14.234.83', port=443), status='SYN_SENT', pid=None)
 ...]

@safe bear psutil is trash though, considering it won't give you the full command parameters.

Huh?

Well, let me see

Oh, yeah, it's cross-platform

¯_(ツ)_/¯

If you are linux only and like wasting time, then use netstat directly and parse the output

If you want to be portable and have better things to do, use psutil

¯_(ツ)_/¯

Well, I had to use ps -wweo user,cmd to get user/full command on Debian. The problem that I can see going with psutil ( like how I experienced ), is not knowing which ssh command, python command, etc, is causing the issue.

What do you mean

Can't you get the process metadata and find the invocation context using the PID?

You could grab PID and reference that using netstat 😛

Because everyone uses Ubuntu 16

Output of commands doesn't vary by platform

Not at all

Your parser is guaranteed to work

Point taken ¯_(ツ)_/¯

I've learned this the hard way, believe me

Subtle differences between versions and implementations mean you end up writing multiple parsers that you are mostly certain work on some subset of all platforms

Actually, ss -ap should work

Gives PID, connection information, and basic process. Could reference the PID given with something like ps -wweo user,pid,cmd

¯_(ツ)_/¯

Does that work on BSD?

Wouldn't be targetting BSD. My usecase is as long as it works on Linux ¯_(ツ)_/¯

Then by all means

as ps commands go, -wweo user,pid,cmd is probably one of the more portable ones, though -w isn't part of the standard

ps -ww -p [pid] -o user,cmd is probably a more portable way to query information about a specific known process though

since the -e is one of the main sticking points in BSD compatibility

It's not compatible with Windows though 😉

how would I compare a string vs a salted md5 hash in python?

what do you mean by compare

check if the string is the unhashed version

then you'll need some library

I assumed hashlib

yes

but I can't find any docs on that

try looking on yt

all videos seem to just hash the string and check if its the same lul

i cannot find one neither

rip

😔

ask one of the helpers

they might know

I think I'll just do if hashlib.md5(salt + line.encode()).hexdigest() == originl_hash:

try making that into a function

already am 😂

Anyone got some tips for good webinars etc to attend/watch in regards to security in general?

I personally haven't found one worth it's salt.

Hey, I made a password list generator based on info about a specific person rate my work out!!

@maiden fulcrum We do not allow the posting of programs that violate rule 5 of our rules, and that includes your password cracker

!rule 5

LOL "password generator"

@thorn obsidian If you've got nothing useful to contribute don't bother saying it

I mean that's not the most useful statement either is it

I was pointing out the difference 🤦

!tempmute 499340202687332362 2h Not really wise to back sass an admin when they just told you not to do something. Also, going "LOL 'password generator'" isn't "pointing out the difference." Again, if you have nothing constructive to say in a channel that isn't one of the off-topic channels, don't say it

:incoming_envelope: :ok_hand: muted @thorn obsidian until Mon, 20 May 2019 22:03:33 GMT (Not really wise to back sass an admin when they just told you not to do something. Also, going "LOL 'password generator'" isn't "pointing out the difference." Again, if you have nothing constructive to say in a channel that isn't one of the off-topic channels, don't say it).

Jesus, someone's in a bad mood today.

Just taking care of repeat offenders

TeamViewer confirmed today that it has been the victim of a cyber attack which was discovered during the autumn of 2016, but was never disclosed. https://www.spiegel.de/plus/teamviewer-wie-hacker-das-deutsche-vorzeige-start-up-ausspionierten-a-00000000-0002-0001-0000-000163955857 / https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/

I'm trying to setup nginx webroot folder permissions according to principle of least privilege. I'm not sure what's the best approach here. Multiple developers need r/w access to the folder.
Option 1: chown -R root:deploy_group webroot_folder, chmod -R g+s, 764 webroot_folder

Is there a better option?

Option 2: same as above, but add nginx to deploy_group and set permissions to 760 on webroot_folder

which of the two is more sane?

hey guys is it worth it to get into security as a CS major?

brother owns a business in security, he had a masters in CS

but idrk

@thorn obsidian did you get an answer? I'm curious what it was if so. If not, then I personally do chown -R nginx:deploy_group webroot_folder && chmod -R g+s 760 webroot_folder

@simple orchid ps -wweo user,pid,cmd works in my usecase because it gives all PIDs, rather than needing to constantly running ps -ww -p [PID] -o user,cmd

@tough rain , I don't think that would work, because, then, nginx can't read subfolders/files in webroot_folder if it isn't the owner (unless you add it to deploy_group)

https://serverfault.com/a/357109
http://cubicspot.blogspot.com/2017/05/secure-web-server-permissions-that-just.html
I used these as reference and I went with:
chown -R root:deploy_group && chmod -R g+s 775 webroot_folder and umask 002.

what exactly is up with the huawei news?

it seems like trade politics... or is there some kind of breach of consumer trust?

@thorn obsidian indeed you are correct. But then my "deploy_group" isn't a deploy group. It's www-data group specifically created to address that

Okay, so here's my current design scheme:

1. Make a surrogate key used to encrypt data
2. Make a locking key using the user's password
3. XOR the surrogate and locking key together to make an encrypted key and store this key

When someone wants to decrypt

1. Provide their password to unXOR the surrogate&locking key to get the original surrogate key
2. Use the surrogate key to unencrypt the document
3. Provide the document to the enduser

However, when should the decryption happen? There's a few options I'm thinking;

a. Send the encrypted key and the encrypted document to the user and undo the encrypted key using the user password and use the unencrypted key to unencrypt the document and show that to the user (Pros: we're not sending the unencrypted document but we are sending the encrypted key)

b. Have the user send the password and let the server unencrypt the encrypted key which will unencrypt the document and send the unencrypted document back (Pros: we're not sending the encrypted key, Cons: we're sending the document over the internet)

Which option (a or b) should I use? and does this method sound sane?

hello i have a question about nonces and time stamps

we have a problem discussing two-way authentication between A and B. and what would happen if we remove B’s nonce on the reply back to A

i thought nonces were used to verify identity and make sure that a message isn’t being replayed, but i’m being told that if B doesn’t send a nonce A would still be able to verify no replayed message because it can use the nonce it sent to B

A nonce shouldn't be used to verify identity, it doesn't contain any information that authenticates an identity securely. That's what we have public/private keys and certificates for etc. (Asymmetric encryption). Nonces are usually used to verify that a message is arriving for the first time, if the recipient sees the same nonce again it knows that message was replayed and can handle it appropriately. I'm not 100% on what you mean about what you are being told in that context, I may simply be misreading it because I'm tired. As far as I'm aware, no nonce = no way to verify if a message is being replayed or is a legitimate second occurrence of this message (new POST to API endpoint with same data etc).

@unique trout

this is the scenario i was asking about:

so the way i understand it now iss that Bob doesnt need to send the nonce rb --> it would not affect security because Alice does not send back a message so there is nothing they can do with it anyway

mm, I suppose that could be technically true. It's been a few years since I have dabbled in the theory of stuff like this, I tend to handle the practical. If I saw nonces missing from some requests in an application I was testing I would be flagging that up as a flaw.

I suppose it ultimately depends on what the system does with the message.

the question was just how would it affect securityof the protocol

If a replay is genuinely completely irrelevant then so is the nonce. If a replayed message is a threat there's no point not having the nonce in there.

I don't know if my brain can do theory anymore I'm afraid 😄

its okay

i appreciate the help !

No worries.

also i like your pfp : ) haventwatchedinmonthsbutitwassogood

Haha! Brilliant show that, Yato is my favourite main character 😄

Feel free to ping me any time you have questions, perhaps I can be more use on different topics. ¯_(ツ)_/¯

thanks thanks !!

@tough rain , not sure I understand.
if there are multiple users writing to the webroot_folder and the ownership (when you do recursive chown) belongs to nginx:deploy_group (www-data) - with 760 - when users create new folders/files, nginx won't be able to read unless it's in www-data group. is this what you mean?

in my case nginx doesn't need write permissions

if I'm understanding you correctly, in your scenario nginx would get write permissions, which doesn't follow the principle of least privilege, I think.

Indeed.

In my case, I don't want global-anything permissions, which forces xx0.

I use g+s to force group ownership of new files (instead of user's primary group, which is themselves). I mark directories group-executable to ensure group members can traverse into the directories. Group-writable ensures group members can create new files. But the file ownership becomes the user instead of nginx, as you point out. So I added nginx to www-data group to ensure it can still read / traverse the directory.

There is a u+s (contrast with g+s). My understanding is that u+s is aka setuid; so if a directory is u+s then a new file created by a user would keep nginx as the owner.

But then on the other hand, my understanding is that would give a user the ability to pretend they're nginx: anyone in www-data group would have ability to write a file, mark it executable, and then execute it. Because it's u+s (setuid), the executable would be started by the user but it would execute with nginx's uid. Am I mistaken?

If I'm not mistaken, then a tradeoff: I trust nginx more than I trust other users on the same machine.

This problem would likely be solved if I knew more about selinux: make it so that no programs under the www directory could be executed and then problem solved?

as I understand it, you can setuid on folders/files, but Linux ignores it. in your case, nginx would get write permissions, which I don't need.

I'm with you on selinux. I have it set on permissive :(

setgid applies to directories but i don't think setuid does

as I've said. I think Linux ignores setuid (pretty sure)

it does

hmm i wonder if you can accomplish it with ACLs

I think you probably could, but I've read to stay away from it

looks like you can't

you can give the user write permission though https://unix.stackexchange.com/questions/99079/setting-default-username-and-group-for-files-in-directory

I see

but you can do the same with groups

@tough rain , in your scenario, what's your umask for the developers in the www-data group?

Is there a way to force a umask on a directory? Otherwise it's whatever developers would set or override?

you can set (force) umask on the environemnt

umask sets default permissions on newly created directories/files

but users can override the permissions if they have necessary permissions, yes

I'm aware of how umask works. Default umask is 0002, preventing global write by default. But of course a user can override that. I think the fact that a user can override it means changing the default umask less robust. If there's a way to enforce a umask on a particular directory, that would be awesome though

what do you mean that a user can override?

if a user is the owner of a folder/file, it makes sense to be able to override permissions

though, I don't yet have grasp on acl and selinux, I'm positive, you can change that with these systems

I believe a user can set their own umask and create files with different group permissions (as long as compatible/more restrictive with directory's group permissions?)

Hmmm, I think this can be solved by adding one more directory to the tree to the static content. In my case: static content installed to /opt/www/site/index.html -> http://site/index.html

# find /opt/www -exec stat -c '%a %U:%G %n' {} \;

3550 nginx:www-data /opt/www
3775 root:www-data /opt/www/site
664 inetknght:www-data /opt/www/site/index.html

So:
/opt/www:
• no global permissions = exclude everyone except nginx or www-data group. nobody should in general get permission denied for anything under here (there are exceptions, eg someone hardlinked into the directory tree and nobody navigated here from an alternate more-permissive pathname).
• nginx user read/execute (traverse).
• www-data group can read/execute.
• setguid flag to keep group. Not really needed at this level, but there for consistency when doing Root Stuff.
• sticky flag same deal as setguid for now.

/opt/www/site:
• owned by root user to kick nginx into "other" permissions, which is now read/execute.
• Since nobody should be able to get into here except for nginx and www-group users, this should still preserve nobody else getting in (unless someone hardlinks something in the directory tree).
• site is now writeable by www-data users.
• setguid here ensures that files/dirs written by www-data users keeps the group
• sticky here ensures tries to ensure that users don't walk on each other (root will need to resolve conflicts if so)

/opt/www/site/index.html
• inetknght is the user owner because inetknght created the file
• nginx can read, but cannot delete or modify it
• other www-data users can modify it but cannot rename or delete it (not sure how to prevent this short of creating separate user directories which rather defeats the purpose of having a common group anyway)

Hello

what do i need to know as a programmer in the security field and my applications ??

and :How to prevent hackers from reversing my app--->code (which contain important data) (in any langauge and all extentions (exe/jar))

If you don't want hackers to reverse your app back into code then don't let hackers have your app.

@tough rain -_- ,i will do as if i didn't read anything

in any language and all extensions? you put the important bits of the app on a server you own

@autumn holly What inetknght is saying is that any code inside your app will be accessible to hackers, since it is running on their machine. If there is anything that a hacker should not have access to, sensitive information, passwords, access keys etc, it should be stored on the server. If there is critical code which could be manipulated to gain access to something, it should also be on a server. A login verification method for example should be on a server and the username and password sent via an encrypted protocol, HTTPS POST for example for validation there. The server can then return a valid/invalid login message and provide a session. The session must be provided to the server for sensitive information to be served.

Hopefully that answers your question, if not, let me know. (Make sure to ping me, I don't check this server)

That's exactly clearer, thanks! 👍

@chilly flame oh i see now thanx 😃

@tough rain sorry iddnt understad u 😃

@tough rain forgive me for my misunderstand 😃

No problem.

@chilly flame but please

is there is less-level solution?

for running locally

as i am not in the proffessional level to have server

Well it depends entirely on what you are trying to store inside the app.

If it's an AWS key or something else equally important you need to get a server to store that stuff or don't make the app.

I don't think Python is really a good choice when it comes to stuff like obfuscation, and obfuscation is not secure on its own. It's just a stepping stone.

So long as you have hardcoded passwords/sensitive data in your app it doesn't matter what you do with it, someone will find it. @autumn holly

You're fine @autumn holly . We're all about learning here and sometimes language barriers and the textual internet can mask a misunderstanding.

If you don't want someone to disassemble, reverse engineer, and learn how your software works, then the best solution is to not give it to them.

Think of it this way: if you have a program on your computer, what method would you use to look at the source code of the running program? If you know the answer, then ask yourself how you'd block it. If you know how to block it then ask yourself how you'd defeat that block. Then ask again how you would block that un-block.

As you can see, the definition of what you want is recursive. It cannot be answered, certainly not so easily. It is a chase between yin and yang. It could go on forever.

Someone who wants to defeat your block will only need to think a little bit more than you are willing to. If they've used computers their whole life then there is a good chance they already know how to do it without any effort on their end whatsoever.

If I were to ask a different question: if you were to keep a secret, then how would you prevent other people from discovering your secret? Would you tell your family or friends your secret? Would you sell your secret to your customers? Eventually you will have told someone who didn't keep your secret. Software is the same way.

So, best/cheapest/easiest access controls for doors? @thorn obsidian

I think that was about the gist I got

Basically its just to keep track of students without having to spam multiple forms of communication like radios, intercoms, phones, etc.

also for emergency notifications

and students skipping, wandering the halls, out of area

Hmm

Lots of edge cases though

edge cases?

Well, would all the students have one or is this for the faculty?

students and faculty possbily

the badges would also help to ID students on campus

Would be great for colleges I think, but you already have that in a few. I've seen IDs that have a magnetic strip that gets you in/out of the dorms

yeah the students in like elemetary school for example wouldnt need that type of access.

Curious how you'd approach a grade school student forgetting to bring theirs

I think RFID badges already exist for jails/prisons though

This system would provide data on students location so in the event someone needs to know where little Johnny was at 9am Monday then they can also look it up

So a card/id that pings every now and then?

Schools can use incentives for students who dont lose them every grading period and also have a manual checkin

You'd also be hard pressed to get parents on board with something like that

Invading privacy and all that

"Why are you tracking how long my son was in the bathroom?!"

Bc we are concerned about his/her safety and well-being

he's been gone 15 minutes maybe he needs hekpo

]help

I can see approaching access with a card a lot easier than a device/app that pings every now and then.

def would not have a device

So definitely a card/id that pings?

Form factor would be a huge issue as well.

Im not sure about the ping

for factor/

?

Form factor, the size of the card

why?

Well, if I have a device that you would want to ping to check the location of it

It would need to connect to wi-fi/data, right?

yiu said ping not me

lol

This system would provide data on students location so in the event someone needs to know where little Johnny was at 9am Monday then they can also look it up

It sounded like you mean real-time location

no sorry

just a scan and go

Ah, okay. So you just want to know which door they entered/exited

Gotcha

yeah

Yeah, RFID would probably be best case then

we discussed it briefly

It wouldn't prevent someone from cloning the devices, which is why RFID-blocking wallets/passport holders exist

But for ease-of-use, it's definitely the best

If you have an issue with someone in the vacinity possibly cloning the devices, there's always magnetic strip

you should def join us

PM em me

I sent you an invite

the server is only a day old

I didn't receive anything

1 sec

https://www.youtube.com/watch?v=rnmcRTnTNC8 Great talk on physical pentesting

@tough rain i see now ,thank you 😃

I'm currently dealing with a issue with linux code I am making

The program contains a server and a client

The problem is that server needs to be root, to be able to execute docker commands

And client isnt root.

This is very bad, as you can imagine.

So, how to I make sure that the server only accepts POST requests from this one source, and how to I make sure the script is root before running any commands?

server doesn't need ot be root? server just needs to be in a user with docker group?

@tough rain Well you see, I was thinking that

I have quite a few issues.

Do you have time for me to explain the setup?

Sure

Ok so I am building a devops program, called sharpops

To start the runner, you do sharpops --server

It then listens for commands from the client

You run sharpops and it reads the local sharpops.ini file

Sends all the data to sharpops server

And it executes it

So there are lots of security things to consider

1 -I need to make sure server only accepts requests from the client, not a local curl or something

2 - Server and Client need to run as Root, as Server needs to be able to run docker commands

3 -I ideally don't want Server to edit chmod perms.... but this is difficult 

I think 3 and 2 can be fixed by making a sharpops group, that a user called sharpops, and me can access

Then I can make sure only sharpops can access the docker stuff

It isn't ssh'd into

And when it edits files, I can stills access it

@tough rain I'll give you time to read all of this.. let me know what you think

Number 1 is the one that makes my head rumble

I think I have to go with another approach

Why?

Is this all running on one host? Or are server and client on different hosts?

@tough rain Same host

Someone could just curl to server

With any command they want

xd

I can't think of how to make sure it can't escape the program

What you want isn't that someone could just curl to server: that isn't the problem. Curl is powerful enough to masquerade as pretty much any other client, even your own. The real problem is you don't trust other users. That's easily solved using unix sockets and using file ownership users and groups.

Yep. I thought i had to use unix sockets

God dammit xd

Have you got somewhere I can do some reading on how to set that up?

a unix socket isn't much superior to a network socket behind a firewall, or listening on localhost only

Its better than non-sudo

Why do you think that, @tight abyss ?

both can not be accessed from outside

what else do you want to achieve?

Both can be accessed by root. Unix sockets can't be accessed by IP sockets; and unix sockets can be blocked from other users by file and directory permissions. Neither will protect from root of course, but if you're worried about that then you've got bigger problems.

^

Also, Will this mean I can't use windows

?

Cause unix sockets don't work?

okay, if you want to differentiate between regular user accounts on a local system, then yes, use unix sockets

I thought it was just about restricting external access

At least, that's the case in Linux and OS X, which I assume is in use. I'm not familiar with Windows' relatively new implementation but I would be very surprised if they don't have their own ACLs tied to the local domain.

@cedar pelican Windows recently added support for AF_UNIX
https://stackoverflow.com/a/48053310/1111557

I did see that, didn't know if it was the same thing, great ;D

AF_UNIX is the keyword

How do I check if the user is root for the client?

Just read $EUID?

Is that considered safe?

getsockopt(...SO_PEERCRED...)
https://stackoverflow.com/a/18946355/1111557

Specifically that euid, yes

@tough rain The I make sure the socket file has root only-access

?

Yeah, you'd need to make sure it's executable. But something like mkdir -p ~/mysockets && chmod 700 ~/mysockets and then when your socket is created inside that directory, it can only be accessed by you because the directory is only accessible by you.

If you're running docker containers, you can bind-mount that socket into your container using docker -v or via docker-compose: but then you would be exposing that socket to whoever else can run docker. But you'd be doing the same for your client programs anyway: anyone able to use docker can just docker exec into your container. And, doing so, they can change their user ID to anything they want using docker exec --user. So even checking euid isn't good enough if you're using docker.

So if you're using docker then it's should be assumed that root and other users who can use docker can be trusted; so all you really need is file permissions from other users who can't run docker.

sharpops.ini contains commands

That the server executes

that contain scripts with commands for docker

great, so run that as your user. or run that as a user with ssh disabled which would then require you to su or login into that user instead

Yes, something like sharpops

As its own user

yup

Add it to docker group

👍

@tough rain 2 more questions hahaa

If I run chmod 700 ~/mysockets as root, only root can access right?

And, can I make sure sharpops and me can access eachothers files?

For when it runs commands like mkdir

Also: You didn't quite make it clear. If I read $EUID in my code, it will show if the user is root?

If the user does /path/to/your/client /path/to/your/socketfile, then the program is running under their user. If they can access /path/to/your/socketfile, then euid will show their user ID. If they can't access that path, then you will not receive a connection from it.

If the user does sudo /path/to/your/client /path/to/your/socketfile, then sudo elevates your client to root and euid should be 0.

If the user does docker exec --user 0 your-container-name /path/to/your/client /path/to/your/bindmounted/socketfile, then euid should be 0.

And of course if the user is root then euid is 0 too.

Ok cool

If you're meaning $EUID as the environment variantable, then I'm not sure that's accurate.

I want to automate the socket dir and file, that's all

But, I want to make sure it only runs if you are root

And, can I make sure sharpops and me can access eachothers files? this bit too please... thanks a lot by the way

bind: not supported by windows ;/

I'm screwed

rip

@tough rain Any idea how to make http more secure?

Like, could I store a key within the executable or something?

Or, is there a way to store data within 2 instances of the same executable and share them?

I'm not sure on a mixed-user Windows machine with docker tbqh

Yeah

What about a password?

Stored in a read-only root file

That's hashed

Then make the connections https

Give root a known private key/password, and the client must present a cert/hash matching the known value? Yeah that could work.

@tough rain Wait. give root the password, not the hash?

Also: Will https be needed do you think?

Or will https not be needed if user has the hash?

you need to authenticate root: root has the secret.

secret is: "am I root?"

hold up maybe I'm thinking too hard

Can I explain what I mean?

sure

Ok so

Server is root, no changes there

It has access to a few root-only read-only files

And key and a .pem for https

A password file

And some sort of hash-cache

Client then connects through https, ensuring they are root first, and with the specified password

Runs the command

(I don't know much about hashing, you assume I have to store some sort of hash 'key', since it needs to be a constant hash)

Is the client running in docker? Or is that not a thing?

No, the client aint running docker

The server executes docker commands

the client is just there to send what I want to run to the client

[version]
use = 1

[runners]
name = "Sharp Ops Runners"

[runners.compile]
name    = "Run Windows Compiler"
command = "scripts/compile.ps1"

Here is and example sharpops.ini

If they're both running as root and don't need to worry about docker, then just bind only to localhost and do this to check the uid of the running process:
https://stackoverflow.com/a/25431340/1111557

Don't need to encrypt then.

I can't use sockets.

I coding this in golang

There's no support for it anywhere

;/

Wut? How are client and server talking over http without sockets?

😕

@tough rain Wait. I'm being a idio

localhost:8080 is a socket?

RIght?

Is that what you mean?

it's an address

socket is a file descriptor, an integer

When the server listens to that address.

yes, you tell it the address localhost:8080 to bind to

I don't need to confirm both are ROOT

I need to ensure that server only accepts the commands if client send the request

And that's why I wanted https + password

https so no one on localhost can listen... but this might be overkill

What do you think?

password and hash + https or just password and hash?

password and hash would be fine

Ok. Well at least we came up with that

Last issue: can a user be in two groups?

And if so, would it be secure to put my user +sharpops user in one group, while sharpops is in the docker group?

I don't know about two groups on Windows. On linux, yeah absolutely.

Nor do I know much about Windows ACLs

Windows doesn't need any passwords

Because you need to sign in anyways

I develop the app on windows

So having to use sockets would have been a nightmare

But passwords can easily be tested, so great!

I think I can do this now

@tough rain Thanks for all your experience, Ill be sure to let you know when I get the first release of this software on github!

cool!

Hello all

I have looked up stackoverflow and done my homework before asking this question here,
I wanted to get IPs from a list of websites

First I used:
`
import socket
with open("targets.txt", "r") as ins:
for line in ins:
print(socket.gethostbyname(line.strip()))

`

but for some reason it stopped after getting some IPs, my internet was fine I made sure of it, I have like more than 5mbps down here so it's not a problem, but there was an error in the code after the process stopped

Second I used:
nmap -iL targets.txt -oG - | grep "/open" | awk '{ print $2 }' > results.txt
This worked but nmap works very slow and it was a lot time consuming for me, I wanted to use ping/nslookup as they work very fast but i don't think they allowed features like this, all I want to do is enumerate IPs from a list of websites using bash/python, any idea?

what exactly were the errors you got?

This was the error:

> python listBased-ip-finder.py > shift.txt
Traceback (most recent call last):
  File "listBased-ip-finder.py", line 4, in <module>
    print(socket.gethostbyname(line.strip()))
socket.gaierror: [Errno 11001] getaddrinfo failed

I could only get 175 IPs as a result

what i understood after googling so far was that some hosts can't be resolved, my bash script gives an error like "Can't resolve "domain.com" and ignore them but python closes the session at all

probably one of your addresses is wrongly formatted. Try putting a print(repr(line.strip())) as first thing inside the loop, to see on which argument it breaks exactly, and check if that one looks weird or different from the others

and yes, if Python encounters an exception that is not caught anywhere, it exits

if you want to handle exceptions, wrap the code that causes them in a try/except block

okay thanks, will do

Solved

How do I go around testing if my program was executed with root permissions? I've head of things likeegid but it seems like env vars like this can be changed

Anyone got any ideas?

shell or python?

Neither. xd

Well, in theory you can execute shell, But how does the answer differ for either of them? Or are you talking about syntax?

now I'm confused what you're actually asking

you only need to check if your user id is 0, no?

Yes.

"Securely"

From looking on the internet, using user id is 0 is a terrible idea

Well, couple questions

1. Why do you care if the user is root?

My program, on first run, creates a secret.pem file

And a hash + salt is stored in it

I want to make sure only root can access this file, therefore, root must create the file

So to make sure users don't make it insecure, I need to make sure they are root.

I had another reason in my head.... its gone now xd

Though, the user's are the one running it.

Also, I don't see you setting permissions properly on these files assuming the user is root

Something like 400 for root should work if you're worried about sketchiness

Yeah, in my code i set it to 400

I need it to be root as I don't want the user to be able to access this file.

I.e my ssh account being broken into

Ah, that was the reason haha

Now I'm confused

You bring up a secret.pem which contains a hash+salt. What does SSH have to do with it?

Ok so. its a piece of devops server

with a http server

So lets say I am naughty man no 2

I somehow get onto my server

Run a curl command to try and execute code on this rooted http serever

I can't: its password protected

But, since he got into my account, and the secret.pem is not rooted

He now has the hash: not a super bad thing: but still annoying

sharp since when are you using private key authentication for your thing?

werent you gonna do password stuff?

Nix what do you call files like that

cause what scott right here is probably confused about is the fact that you are bringing up a PEM file which is the file format for storing SSL and SSH keys

I just did .pem because it has a nice vscode icon xd

https://i.mcaq.me/di36.png

yeah dont otherwise you confuse people

What's the correct extension?

.txt .dat anything

but not .pem

@thorn obsidian sharp just doesnt know about the .pem extension and its proper use there is no SSH involved

Gotcha

Anyone good with xor ciphers able to give me a quick rundown on a process to find a key is when you have the known text and ciphertext? I've googled around yes but come up blank

so basically if you XOR something you do the following (+ is gonna be the sign for XOR in the following as its usually represented with a plus and a circle around it which idk how to type)

cleartext + key = ciphertext

and now there is an interesting thing with XOR, it's its own inverse operation, like for example - is the inverse operation to plus, that leads us to the fact that we can simply do

key = cleartext + ciphertext

@civic widget

@orchid notch alright, so I assume I then do something like um. Make the clear text and cipher text into binary and do or stuff so 1001 clear text and 10 cipher would be like. Uhh ok slightly lost rn but I'll fetch the actual text

Ciphertext in base64 Plaintext
bVQwJ2M3K0pCIjQm Test message

Ciphertext decoded from base 64, pre sure
mT0'c7+JB"4& - Test message

if you do this in python it doesnt matter in which form your numbers are, by hand youd have to convert it into binary first yes

I think I'll do it by hand tbh so I can get the feeling behind it if that makes sense

Otherwise I'll try figure out how to do it in python

>>> import base64
>>> base64.b64decode("bVQwJ2M3K0pCIjQm".encode())
b'mT0\'c7+JB"4&'
>>> for char in _:
...     print(char)
...
109
84
48
39
99
55
43
74
66
34
52
38

and now you gotta do the XOR thing with these numbers I just showed

Can you please expand on the xor thing. I'm sorry I haven't been able to get my head around how it actually works despite my research

I'll go give it another bit or research and try in the meantime though

did you already understand what xor does on a binary level?

I've seen it on binary level and semi understand what it's doing and why

so basically if we apply an operation to two single digit binary numbers there are four possibilities

1 0
0 1
0 0
1 1

yea

and what XOR says is if both sides contain exactly one 1 output 1 otherwise 0

so
1 + 0 = 1

0 + 1 = 1
1 + 1 = 0
0 + 0 = 0

(again using plus as XOR here)

ok now that makes more sense, what i saw online was just some examples showing it without explaining

right

now back to normal mathematics (+ is again and actual +)

if we have
1 + 0 = 1
we can rewrite this to for example
1 - 1 = 0

ooor
1 - 0 = 1

right?

ok

and now the special part of XOR comes in, XOR does not have a minus like plus does its basically its own minus

because (plus again for XOR now)
1 + 0 = 1
1 + 1 = 0
0 + 1 = 1

(the lower two are just rewritten forms of the upper one)

yea

so basicly i need to take the numbers you showed above, convert to binary for both them and then do it for plaintext i assume, do xor and then the key is the output taking that binary back to text

I think, unless ive got the xor idea wrong still aha

and where this idea is basically getting us is (+ for XOR)

a + b = c
-> c + b = a

and if we consider XOR encryption we get
key + cleartext = ciphertext
-> cipertext + cleartext = key

yea

Would you say, try do this in binary by hand or just use python? In terms of simplicity

i mean in python you can type ^ for XOR so thats gonna be simpler

alright

does it require any imports to work or is it just like, get the chars from both and ^ somewhere

no imports whatsoever

its a builtin operation

Sweet then

I shall attempt to look up some python stuff for it and try do it aha

@orchid notch so with the numbers, i assume i just store in a like list then use something like a ^ b

yup

(might as well just check your assumptions 😉 )

Ill work on some code and come back

oof
b'mT0\'c7+JB"4&' b'Test message' [109, 84, 48, 39, 99, 55, 43, 74, 66, 34, 52, 38] [109, 84, 48, 39, 99, 55, 43, 74, 66, 34, 52, 38]

1st and 3rd line - 2nd and 3rd line are same

looks promising ahaha

>>> for c in x:print(c)
...
109
84
48
39
99
55
43
74
66
34
52
38
>>> for c in y:print(c)
...
84
101
115
116
32
109
101
115
115
97
103
101
>>>

(x is 1st y 2nd line)

import base64
dc = []
pc = []
decodedCipher = base64.b64decode("bVQwJ2M3K0pCIjQm".encode())
plainText = b'Test message'
print(decodedCipher)
print(plainText)
for char in decodedCipher:
    dc.append(char)
print(dc)
for char in plainText:
    pc.append(char)
print(dc)
key = []
for i in range(len(dc)):
    key.append(dc[i] ^ pc[i])
print(key)

oof ok we did different things oops

yeah well you double print dc

that makes somewhat of a difference

didnt see that my bad im sorry lmao

all good dont worry

fixed, i see now

key output is [57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67]

is it correct?

i assume i then need to change that from its current state into something in order to prove its right?

or reverse the process so i use key and plaintext to try get a cipher 🤔

give me a sec

imma do that

(you might as well just output the key and check if it matches lol)

wdym by matches im sorry i didnt get that far lmao

you do already have a key dont you?

or is the key unknown for you

No, keys unknown

i only have known plain text and the cipher

I mean it is mathematically impossible to be wrong if you implemented the process correctly

and i just realised that the key i just did is wrong anyway due to the for loop

"if you implemented the process correctly", pc is longer than dc but dc defines loop length so lemme change that

no ive gone wrong im my math i think

i get the same key as yyou do

>>> key = []
>>> for idx, c in enumerate(x):
...     key.append(c ^ y[idx])
...
>>> key
[57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67]
>>> for idx, c in enumerate(x):
...     print(c ^ key[idx])
...
84
101
115
116
32
109
101
115
115
97
103
101
>>> y
b'Test message'
>>> for c in y:print(c)
...
84
101
115
116
32
109
101
115
115
97
103
101
>>>

works out perfectly

I think so yea
i added this aswell to reverse it to get the cipher using the key we get from plaintext + cipher and its the same

text = []
for i in range(len(plainText)):
    text.append(plainText[i] ^ key[i])
text = "".join(map(chr, text))
print(text)```

mT0'c7+JB"4& is the output the original cipher was mT0\'c7+JB"4& so yea 😃

i feel proud despite you doing basicly everything lol

if you actually understood what we are doing and why it works out you have all right to be proud

I do have another piece of text and cipher I can use to test the key so let me try that 😃

@orchid notch slight issue when finding text using the key, given the cipher is longer then the key and the for loop cant do every piece of data if that makes sense and defining a loop with the cipher length is out of bounds errors cos the key isnt long enough

xor keys loop, i think? so i could just restart the key from the first part and continue or am i wrong in that

import base64
dc = []
key = [57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67]
decodedCipher = base64.b64decode("bVkmcyU2L14RKiBjMiddVSY9YzgrVV40".encode())
for char in decodedCipher:
    dc.append(char)
print(f"The cipher is {dc}")
print(f"The key is: {key}")
text = []
for i in range(len(key)):
    text.append(key[i] ^ dc[i])
text = "".join(map(chr, text))
print(text)```
heres the current code for reference

well if the cipher is longer than the key its likely that he did something like

chunk1 + cipher
chunk2 + cipher
chunk3 + chipher
and so on

so say, working with the key and cipher here to find the text. Id split the cipher up into chunks the same length as the key i assume

yeah apart from the last one

the last chunk might be shorter than the key

yea

ill go try and do that now

Ok i got kinda lost tryna split it up because it wasnt working in the code

Any help splitting/doing this would be appreciated

@orchid notch So im thinking maybe using a for loop to split it up otherwise im sorta getting slightly lost attempting to complete it within the code automatically rather then key it and manually splitting it

well youd use some sort of for loop and a slice

do you know slices already?

not well no

right so if you got a list in python you can slice it in basically three ways

x = [1,2,2,3,4,5,6,7,8,9]
x[idx:] # every element from idx to the end
x[:idx] # every element up to idx
x[idx1:idx2] # every element from idx1 to idx2 (what you want)

right

Im assuming using a key len variable to slice it something like

x[0:len of key]

then that would change to something like
x[len of key: 2xlen key] so on

youd do something like

key_len = length of your key
text_len = length of your text
for counter in the range 0 to text_len/key_len
    if (counter+1) * key_len > text_len
        chunk = slice text from counter * key_len to last element of text
    else
        chunk = slice text from counter * key_len to (counter + 1) * key_len

👀

however luckily you can save up that if statement as for example

x = [1,2,3,4]
x[2:100]

returns [3,4]

(praise python for that)

right

then i take those chunks and iterate over them doing the xor stuff

yes

Thanks, i shall attempt it 👍
ill be back in a couple

Oopsies

Ahaha so the first chunk part works

the next ones dont

I get the two chunks split which works just gotta get the logic on the xor now
[109, 89, 38, 115, 37, 54, 47, 94, 17, 42, 32, 99] [50, 39, 93, 85, 38, 61, 99, 56, 43, 85, 94, 52]
chunks ^
output with this code

key_len = len(key)
text_len = len(dc)
for counter in range(0, text_len):
    if (counter+1) * key_len > text_len:
        chunk = dc[counter*key_len: text_len] #slice text from counter * key_len to last element of text
    else:
        chunk = dc[counter*key_len: (counter+1) * key_len] #slice text from counter * key_len to (counter + 1) * key_len

    print(chunk)
    for i in range(len(chunk)):
        text.append(key[i] ^ chunk[i])```

The flag is eg-

w

@orchid notch Sorry about the tag aha

no no no you didnt listen

you dont have to do the if statement

python takes care of that for you automagically

ahaha my bad ill go try change it

doing just
dc[counter*key_len:(counter+1)*key_len]
is fine

alright

still just concerned with my last for inside the other loop to go about the other chunks with xor

i mean your code looks fine to me

the first chunk works

the second chunk then comes out with eg-


maybe its the key 🤷

can i have your message and key?

bVkmcyU2L14RKiBjMiddVSY9YzgrVV40 - The flag is hidden below

the key should be the same as the last one, which we found to be
key = [57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67]

is the flag a hash?

oh its hidden below

hm hm hm

wait no lemme double check this

that ive done everything right

no no i get the same as you do

Ciphertext in base64 Plaintext
bVQwJ2M3K0pCIjQm Test message
key = [57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67]
bVkmcyU2L14RKiBjMiddVSY9YzgrVV40 The flag is hidden below
key = [57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67, 90, 78, 57, 49, 67, 83, 67, 90, 78, 57, 49, 67]
X10iNHk5fQ4HIGBxPnwPU3c= [REDACTED]

Heres how far i got before dying
Ciphertext decoded from base64
mT0'c7+JB"4& - Test message
mY&s%6/^\x11* c2']U&=c8+U^4 - The flag is hidden below
_]"4y9}\x0e\x07 `q>|\x0fSw - [Unknown flag]

I need to find the key so i can then use it on the last cipher to get the 'flag'

these ciphers here are for testing purposes to make sure the keys right

the keys seem somewhat different actually by 2

if i encrypt your flag text and then decrypt it with our method it works out fine

so i doubt thats the issue

right

are you sure that is the clear text you think it is

bVkmcyU2L14RKiBjUVgnNyY0bltULzw0

https://gyazo.com/a696bf6597b7d3ffe6e6914e673ec5ed

becasuse this would be the correct b64 for us

Ciphertext in base64 Plaintext
bVQwJ2M3K0pCIjQm Test message
ekghNjF6HVxSNiEqLjcZcisyLzYrV1Ym Cyber Security Challenge
bVkmcyU2L14RKiBjMiddVSY9YzgrVV40 The flag is hidden below
X10iNHk5fQ4HIGBxPnwPU3c= [REDACTED]

even if i binarize both and use some online service i get different results

yea...

so this is where i run out of ideas sorry

Its alright dude, still helped me understand xor more

the text for the flag should come out to a "Flag should be 12 alphanumeric characters"

flag:c376c32
Currently have 7 😂

given the cipher for it is The cipher is [95, 93, 34, 52, 121, 57, 125, 14, 7, 32, 96, 113, 62, 124, 15, 83, 119]
i think i can manually do it given we know the first part, ill slice it and get the last part

So i used the short key to get the orignal part right, it just didn't do the ending. Then i used the longer key from the other part and redid it and it gave me the entire thing so then i cross check them and the start of the first one matched with what this key gave me so i went with it. Last one should be flag:c376c32d26b4

@orchid notch I'd just like to thank you for all the help 🙏
And tomorrow night imma have a go at another challenge 😆
https://gyazo.com/e6f8d1dc60ea4c08bee5bab59b839f5c

youre welcome

👍

Apparently there was a "bonus flag" somewhere in there but i wouldnt know where

Hello

Is there any alternative for this:

nmap --open -p 80 -iL ip-ranges.txt -oG - | grep "/open" | awk '{ print $2 }' > exit.txt

The above is a bash script that makes use of nmap to enumerate hosts with open 80 ports from a range of ip addresses

but the process is very slow, I been looking around in github and stackoverflow but the tools (python/bash) are either too large or they can't enumerate ranges the same way as nmap does

Do anyone have any suggestion, is there any tool faster than this?

no, nmap is the fastest @earnest ridge

you can try other nmap methods

@mint narwhal if you scan a port without root priviliges nmap will use a full connect scan, a syn scan (which should be default when running with root and the -sS flag) should be the fastest

the fastest is the -P ping scan

no

but it doesn't scan ports 😄

that discovers wether a host is up

yeah

the syn scan is for scanning a single port

basically what it odes in your mode is perform a full tcp connect so
syn
ack
syn ack

with a syn scan it just does the syn

thanks @mint narwhal & @orchid notch

There are also speed presets available on -T1 through -T4.

I usually end up using -T4.

@earnest ridge

nmap -T4 -sS --open -p 80 -iL ip-ranges.txt -oG - | grep "/open" | awk '{ print $2 }' > exit.txt

For example.

Thanks @chilly flame

Random question but what information do you give out when connecting to an IRC server?

Just IP and the information of whatever irc client you are using?

Do they see your system information or MAC address or so?

does anyone know how to develop a secure licensing system for python? I would also like to prevent the user from using it on more than one device at a time

I'm not looking for a full solution or code (unless a GitHub repo already exists), more just a general outline of each of the individual steps and practices required that I can then develop myself

@junior summit the IRC protocol is pretty heavily detailed and documented, you should be able to find out exactly what information is supposed to be provided in the RFC. https://tools.ietf.org/html/rfc1459

@ocean otter I'm not intimately familiar with such solutions, perhaps someone else that reads that channel is and can give you a better answer. If you're just looking to learn/figure something out I'm sure I can give you some pointers but if it's for a commercial solution you may have to look elsewhere.

There ought to be some open source Python licensing systems out there.

@chilly flame yeah it is commercial

I've looked but I haven't really found much

Nix is a regular in this channel from what I have seen, you might want to try tagging him. I'm sure he's more of a dev than me. I'm more of a pentester who uses Python than an actual Python dev 😃

@orchid notch any ideas? ^

Not into licensing at all, sorry

I'm sure you could make something up with digital signatures though

not rly programming related, but can someone recommend firefox security addons that do not require you to basically give them full access to everything you are doing? or is that maybe just a general requirement for every addon? was using stuff like ublock before and had do reinstall firefox.. i cant remember that it asked for millions of permissions when i first installed it

@humble leaf uBlock Origin, HTTPS Everywhere, NoScript

uMatrix if you need it as well

thanks for the recommendation, as i said i wanted to go with ublock anyways... im just confused why it asks for so many permissions

For any concerns with uBlock Origin, you're free to look at https://github.com/gorhill/uBlock

so the code is actually public

Yes

well that is something at least

Permissions essentially mean nothing when it comes to good add-ons that are known for not siphoning information ( i.e., the ones I listed )

I can't say the same thing for other add-ons though.

i mean if the code is public that is a totally different story

but id be very worried if it wasnt

All of the ones I listed I believe are open. Let me double-check on NoScript

im not sure i can live with noscript tbh, i remember using it a few years ago and all the sites broke lol

and it was a pain to keep giving permissions

https://github.com/hackademix/noscript/

I've been using it for nearly 10 years ¯_(ツ)_/¯

Actually, since 2005 - nearly 15.

hmmm, and you can use all the sites you like without trouble?

It certainly takes some getting used to

But yes, all the sites I go to are working. NoScript even has a mobile Firefox version you can use

noscript's great, but takes a lot of work to get going

I dropped it when they reworked their UI

in favour of uMatrix, which gives even more fine-grained control

but yes, it also breaks sites more by default and you often need a couple iterations to get a new site working

on the other hand it's pretty interesting to examine what stuff each site loads and embeds

@tight abyss more fine-grained control?

Can you explain? uMatrix does ABE, XSS/Clickjacking protection?

NoScript is also on the Tor Browser, and has been recommended by Edward Snowden.. so I think I'd prefer to use NoScript as opposed to uMatrix if I had to pick between the two.
Though, if you want to block specific things on specific sites, uMatrix works for that. It's just not a replacement for what NoScript provides.

Attempting to find a 12 digit alphanumeric code hiden within an image. The image is png if that makes any difference. Have looked into autopsy to get some data out of it but its bugging out for me so any ideas for how to approach it? Image doesnt appear to get anything from photo editors manipulating things etc

Hi, DNSSEC with python library, does anyone know how do it ?
https://stackoverflow.com/questions/56330915/how-to-get-validate-dnssec-with-python

https://support.cloudflare.com/hc/en-us/articles/200170416-End-to-end-HTTPS-with-Cloudflare-Part-3-SSL-options
what are legitimate good reasons for them to offer anything but off and full (strict)?

I suspect Flexible exists for the purpose of supporting origin servers which don't support HTTPS, they shouldn't exist but sadly, they do :P
Non strict full exists so the origin server can use a self signed certificate, or a certificate with a CA not recognised by Cloudflare. @thorn obsidian

@civic widget Have you tried running Strings over the file?

@obsidian vector There are tools for verifying DNSSEC setups out there already, do you need to make it yourself or are you just looking for such a tool?

@chilly flame , Non strict full can also mean that any bad with a certificate can pretend to be you. Am I wrong?

@chilly flame I did try. Either the way I did it was wrong or it ain't gonna wanna work

also, why does cloudflare support these origin servers?

It depends on the context to be fair rixo, sometimes self signed certs are fine. I've seen organisations that are their own CA, but aren't recognised by bigger orgs.

@civic widget did you try setting the -n 12 option?

That should give you 12 character and above strings only.

No? I did not

I'll look into that later on then

Feel free to tag me again and maybe I can think of something else. It's been a while since I touched steg though.

I'lls prob look into it in a few hours so thanks and will do👍

Happy to help 😃

if I'm not mistaken, cloudflare doesn't validate certificates on 'only' full. doesn't that mean a bad actor can pretend to be the origin?

It's quite possible, but they'd probably need to edit the DNS zone to get off a large scale attack, which means they'd need access to that too. The Full option isn't inherently insecure, but it definitely could be if mis-used.

TOFFster said: Guaz There are tools for verifying DNSSEC setups out there already, do you need to make it yourself or are you just looking for such a tool?

@chilly flame Just for a tool

Already implemented in python 😃

I see. I thought it was easy to break this. But is there any excuse for flexible to exist?

Yeah definitely, imagine you have a product which doesn't support HTTPS, you could use Cloudflare like a reverse proxy. God knows why you wouldn't just use nginx as a reverse proxy though!

I can't see why you'd do it but you could haha.

can you give me an example of such a product? and if it doesn;t support HTTPS, why would it pretend it does?

An example of a product I would put behind an nginx reverse proxy could probably be found amongst Atlassian's suite of products.

They natively support SSL but it's a nightmare to get rolling.

BitBucket/Confluence/JIRA for example are easier to run as HTTP with an HTTPS reverse proxy.

It also saves having to update SSL certs in both places and manage SSL settings in both places, you just do it on the reverse proxy.

The reason you would do it would be so you could encrypt traffic between clients and the server even if the product doesn't normally support it.

@obsidian vector Sadly I can't think of any.

@chilly flame Any other tools then, out of python 😃 ?
Becouse dnsknife and dns libraries telling their doing it, but no one of them really can on mine PC, maybe i have some screwed in my PC configuration?

I remember there's a really good one online, that does all kinds of DNS zone checks.

sorry, I meant what product that doesn't support HTTPS would you put behind Cloudflare reverse proxy?

I forget the name though, I will look later.

No idea off the top of my head rixo, sysadmin isn't my area of expertise.

does that mean you can't think of a good reason why cloudflare supports flexible?

Not an exact one, it seems odd doesn't it? 😛

It'll be along those lines I mentioned earlier though.

Okay, if you recall, i'll be gratefull.

but, IMHO, those lines don't cut it, or do they? the traffic coming out of cloudflare on flexible is free for all, isn't it?

also when you said ...but they'd probably need to edit the DNS zone to get off a large scale attack, - what about a targeted attack?

@chilly flame , you haven't given me a legitimate reason why cloudflare would offer those options, but I appreciate your input

@obsidian vector https://mxtoolbox.com/NetworkTools.aspx

Might be on there.

Well to intercept the HTTP traffic an attacker would need to be between the cloudflare server and the origin @thorn obsidian

Which is a much more difficult prospect than being between the client and cloudflare.

There are a lot of legacy programs that do not support https.

That's why it exists

Or have broken/half-baked implementations

https://twitter.com/taviso/status/1133384839321853954/photo/1 Exploit in Notepad.

What version of Windows is this in? hahah

i'm trying to do a box on hack the box, i wrote a small script to fuzz a parameter can i ask help for it or am i going against your policy ?

i'm getting IndexError: list index out of range

Paste your code, and the line number of the error.

@spiral iron do you mind if i DM you because it's not a ritired box on hack the box

@thorn obsidian I'd rather you didn't. If there is any sensitive information, just leave it out or change it to dummy values.

there are no sensitive information but the code can be used to finish the challenge easily, that's why i didn't wanted to paste it here.

Are you worried that other people will copy your code and use it to unfairly gain ranking on this site?

yep

And why is this bad for you?

because it's against the TOS of hack the box to share solutions to a challenge

Ok, then don't paste the entire solution, just paste a snippet of the code you're having trouble with.

ok

  File "fuzzer.py", line 81, in <module>
    main()
  File "fuzzer.py", line 79, in main
    busterMode("common.txt")
  File "fuzzer.py", line 71, in busterMode
    if (decryptPage("http://127.0.0.1/dev/"+tmp,"search", "1") == 1):
  File "fuzzer.py", line 46, in decryptPage
    decb64 = str(decrypted.contents[0].encode('utf-8'))
IndexError: list index out of range```

Your error is coming from inside decryptPage()

what object is decrypted?

Is that a response from the server?

def decryptPage(comm, outFile, mode):
    data = {}
    data['cipher']="RC4"
    data['url']="http://<my ip address>:<my port>/www/"+outFile
    page = s.post(url2, params=data)
    soup = BeautifulSoup(page.content, "html.parser")
    decrypted = soup.findAll("textarea")[0]
    decb64 = str(decrypted.contents[0].encode('utf-8'))
    dec = b64.b64decode(decb64)
    if(mode == "0"):
        print(dec)
    if(mode == "1"):
        return 1
    f = open("../"+outFile+".html", "wb")
    f.write(dec)
    f.close()
else:
    if(mode == "0"):
        print("Page not found! Try again!")
    if(mode == "1"):
        return 0

yeah, so bs4 didn't find any "textarea" tags

what do you mean

print decrypted

ok

<textarea class="form-control" id="output" name="textarea" rows="20"></textarea>

What about contents

do you mean that i should print the content and not textarea ?

for textarea i mean GQ==

Is the variable "decrypted" containing a string?

it should contain GQ==

<textarea class="form-control" name="textarea" rows="20" id="output">GQ==</textarea>

do you think that i should use regex to match that >content<

i mean if it's like this >< i should tell the code to break and go to the next fuzzing word else use the content

https://github.com/martinvigo/voicemailautomator This is why I don't even have voicemail enabled. ᕕ(ᐛ)ᕗ

News of The World broke into a missing girl's voicemail system ( https://www.theguardian.com/uk/2011/jul/04/milly-dowler-voicemail-hacked-news-of-world ), so if they can do it I imagine anyone targeting someone could do it as well using something like the above.

@thorn obsidian Ok, so the problem is that your code is expecting the textarea tag to contain something, but it's empty.

decrypted.contents[0] This retrieves the first element contained within the textarea tag, but since it's empty, you get an empty list and then you index out of bounds.

You're also only looking at the first instance of a textarea tag in the document.

Is the first one not the one you are interested in?

def decryptPage(comm, outFile, mode):
    regex = r"(?<=>)(.*)(?=<)"    
    data = {}
    data['cipher']="RC4"
    data['url']="http://<my ip address>:<my port>/www/"+outFile
    page = s.post(url2, params=data)
    soup = BeautifulSoup(page.content, "html.parser")
    decrypted = soup.findAll("textarea")[0]
    matches = re.search(regex, decrypted, re.DOTALL)
    content = matches.group(0)
    if content != "":
        print(content)
        print("continuo")
        decb64 = str(content.encode('utf-8'))
        dec = b64.b64decode(decb64)
        if(mode == "0"):
            print(dec)
        if(mode == "1"):
            return 1
        f = open("../"+outFile+".html", "wb")
        f.write(dec)
        f.close()
    else:
        print("rompo")
        if(mode == "0"):
            print("Page not found! Try again!")
        if(mode == "1"):
            return 0

i added some regex

I don't think that's going to help.

😦

The textarea tag you're looking at has no contents to match.

What does soup.findAll("textarea") return? (without the [0])

let me try

How would I go about confirming is an encryption key is correct, without storing it?

Im going for an approach of not having a login system, but instead just encrypting the data with the password of a user, the password is used to decrypt the data before sending it. But i dont wanna send data if it's not correctly decrypted

@silent pier a very common way would be to also store a hash of the data, then once you are done with your decryption hash your clear text and check if the hashes match

oor you could for example use something like AES-GCM which actively errors on wrong keys by design

Hash approach sounds easy enough 🤔

yeah it sure does, would just be one more value to store vs AES-GCM with no additional values to store

but thats ultimately up to you

I don't have many values to store to begin with

it's just going to be a json of nested data, with a username

and with a small hash that wont be much in addition

Yeah definitely, go for the hash one then 👍

Thanks 👍